All along the cyber attack continuum

Detecting cyberattacks earlier

By Sheldon Shaw, SAS

Many organizations use analytics as an integral part of their business operations — to proactively uncover hidden meaning behind customer behavior, improve service delivery and identify fraud, to name a few. More recently, analytics has also become part of organizations’ IT security operations, though largely limited to forensic investigations. While forensics are an important tool in the security engineer’s toolbox, they only show what has already happened. They cannot detect the threats active in the network right now.

Seeking better situational awareness — and earlier threat detection — organizations often capture network data and store it in massive data lakes for analysis. However, this practice does little to move security analytics earlier in the kill chain. In the data lake, the network data may sit in separate collections or silos, yielding a less-than-complete picture of the current security posture. As organizations better understand the potential of Hadoop, more will likely move their analytical capabilities closer to the data. With those capabilities placed where the data is, rather than where it ends up stored, organizations can increase their understanding of what is happening in their networks.

Here, security analytics can help reduce the time to detect a significant threat, identifying abnormalities indicative of threats during delivery, exploitation, installation or command and control activities. Security teams can then take the appropriate action to reduce the risk of further threat escalation and success.

Finding threats before the attacker has a widespread presence also helps the organization lower investigation and remediation costs. IT teams may have fewer devices that require reimaging or replacement, lowering operating costs. Detecting the subtle behavioral anomalies of a dormant attacker is computationally more complex — but an organization could spend more resources confirming exfiltration indicators after the fact than it would detecting suspicious behaviors before they become a problem.

Security analytics on high-speed, high-volume data provides the best opportunity for organizations to review good and bad network traffic, made possible by advances in hardware, software and streaming technologies. This behavioral security analytics requires a significant shift in security philosophy: we are no longer looking just for what we know to be bad, but are instead looking for divergence from known normal. With a better understanding now of what’s normal and what’s not, organizations can move the needle on threat detection.
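As an added illustration (not part of the article, and not SAS product code), the following Python script contrasts the two philosophies on constructed flow records: a lookup against a small known-bad list, and a per-host baseline of normal outbound volume from which the current window's deviation is scored with a robust (median/MAD) z-score. Host names, addresses, byte counts and the blocklist are all constructed; the 3.5 threshold is a common rule-of-thumb cutoff, not a value the article gives.

```python
"""Known-bad lookup versus known-normal baseline on constructed flow records.

Added example, not from the article. Every host, address and byte count
below is constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed baseline: per-host outbound bytes for each of seven prior
# windows of equal length (the "known normal").
BASELINE_BYTES = {
    "ws-101": [2_100_000, 1_900_000, 2_300_000, 2_000_000, 2_200_000, 1_800_000, 2_050_000],
    "ws-102": [800_000, 950_000, 700_000, 900_000, 850_000, 780_000, 820_000],
    "db-201": [40_000_000, 42_000_000, 39_500_000, 41_000_000, 40_500_000, 43_000_000, 40_200_000],
}

# Constructed flows for the current window: (internal host, destination, bytes out).
CURRENT_FLOWS = [
    ("ws-101", "203.0.113.10", 1_200_000),
    ("ws-101", "198.51.100.7", 900_000),
    ("ws-102", "203.0.113.10", 400_000),
    ("ws-102", "192.0.2.77", 9_600_000),  # large transfer to a destination on no list
    ("db-201", "203.0.113.10", 41_000_000),
]

# Constructed blocklist standing in for signature-style "known bad".
KNOWN_BAD = {"198.51.100.7"}


def robust_baseline(samples):
    """Return (median, median absolute deviation) of the baseline samples.

    Median/MAD are used instead of mean/stdev so that one noisy baseline
    window does not inflate the spread and mask later deviations.
    """
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, mad


def robust_z(value, med, mad):
    """Robust z-score; 1.4826 rescales MAD to a stdev for normal data."""
    scale = 1.4826 * mad if mad else 1.0  # guard against a zero-spread baseline
    return (value - med) / scale


def known_bad_hits(flows, blocklist):
    """Signature philosophy: report flows whose destination is already known bad."""
    return [(host, dst) for host, dst, _ in flows if dst in blocklist]


def baseline_deviations(flows, baseline, threshold=3.5):
    """Behavioral philosophy: report hosts whose current outbound volume
    diverges from their own known-normal baseline.

    Returns {host: robust_z} for hosts above the threshold. A host with no
    baseline at all is itself a divergence from known normal and is reported
    with an infinite score.
    """
    totals = defaultdict(int)
    for host, _, nbytes in flows:
        totals[host] += nbytes

    flagged = {}
    for host, total in totals.items():
        if host not in baseline:
            flagged[host] = float("inf")
            continue
        med, mad = robust_baseline(baseline[host])
        z = robust_z(total, med, mad)
        if z > threshold:
            flagged[host] = round(z, 2)
    return flagged


if __name__ == "__main__":
    print("known-bad hits:", known_bad_hits(CURRENT_FLOWS, KNOWN_BAD))
    print("baseline deviations:", baseline_deviations(CURRENT_FLOWS, BASELINE_BYTES))
```

On these constructed records the blocklist catches only ws-101's contact with the listed address, while ws-102's transfer to an unlisted destination is caught solely because it is far outside that host's own normal outbound volume. In practice the baseline would be keyed on more than total bytes (destination count, ports, time of day) and recomputed continuously from the stream rather than from a fixed table.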

Sheldon Shaw is a cyberanalytics specialist with SAS. Having spent 15 years in the intelligence community, Shaw worked in nuclear counter-proliferation issues and information operations. He has also managed investigative teams that tracked national security intrusions into government systems. He is a Certified Intrusion Analyst and holds a degree from Acadia University.